need help with ipset

need help with ipset

[Mike Wright]

Hi netfilter users,

Trying to use ipset but having no joy.

O/S is Fedora Core 4, kernel is linux-2.6.16-xen.

I'm using the instructions from ipset.netfilter.net/install.html.
Kernel readied, patch applied, kernel built, iptables built, ipset
built, no errors reported.  Only issue was that everything wanted to
install into /usr/local.  The Makefile was changed to use this:

PREFIX:=/
LIBDIR:=$(PREFIX)/lib
BINDIR:=$(PREFIX)/sbin
MANDIR:=$(PREFIX)/usr/share/man
INCDIR:=$(PREFIX)/usr/include

I've built and installed the libipset*.so modules into both
/lib/iptables and /lib/ipset.

When iptables is started it reports v1.3.5 and seems to work with my
previous iptables rules.

Trying to create a set:
    "ipset -N TEST iphash" fails with:
       ipset v2.2.9: Error from kernel: Protocol not available

On google I found a user with that error, but said he had success once
he loaded the module (didn't say how he did it though).  Reading man
iptables says that modules will be loaded implicitly by specifying a
protocol, i.e -p tcp,etc or explicitly by specifying a -m "module", so I
tried this:
   "iptables -A INPUT -m set --set TEST dst -j ACCEPT" and got
      "iptables v1.3.5: Problem when communicating with ipset, errno=92"

(errno=92 is ENOPROTOOPT /* protocol not supported */)

Here are my kernel configs for ipset:
  <M> IP set support
  (256) Maximum number of IP sets
  (1024) Hash size for bindings of IP sets
  < >  ipmap set support
  < >  macipmap set support
  < >  portmap set support
  <M>  iphash set support
  < >  nethash set support
  < >  ipporthash set support
  < >  iptree set support
  <M>   set match support
  <M>   SET target support

Docs are pretty sparse on this, so it could very well be PEBCAK.

Any help would be very appreciated.

Thanks,
Mike Wright :m)

Re: need help with ipset

[Jozsef Kadlecsik]

On Sun, 10 Sep 2006, Mike Wright wrote:

> Trying to create a set:
>     "ipset -N TEST iphash" fails with:
>        ipset v2.2.9: Error from kernel: Protocol not available

The ipset binary isn't smart enough to autoload the ip_set kernel module,
you need to load it manually (or via /etc/modules at system boot time):

# modprobe ip_set

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: need help with ipset

[Mike Wright]

Jozsef Kadlecsik wrote:

 > On Sun, 10 Sep 2006, Mike Wright wrote:
 >
 >> Trying to create a set:
 >>    "ipset -N TEST iphash" fails with:
 >>       ipset v2.2.9: Error from kernel: Protocol not available
 >
 >
 >
 > The ipset binary isn't smart enough to autoload the ip_set kernel module,
 > you need to load it manually (or via /etc/modules at system boot time):
 >
 > # modprobe ip_set
 >
Thanks Jozsef.  (Sorry for private reply.  Meant to reply to the list.) 
  That worked.  Also had to modprobe ip_set_iphash.

Still can't get iptables to recognize my set.  Can't find which step 
I've missed.  Here's the ipset -L

  Name: BADIPS
  Type: iphash
  References: 0
  Default binding:
  Header: hashsize: 1024 probes: 8 resize: 50
  Members:
  3.4.5.6
  2.3.4.5
  1.2.3.4
  Bindings:

...and modules
   lsmod |grep ip_set
     ip_set_iphash           8164  1
     ip_set                 20828  2 ip_set_iphash

Now I want to add a rule to iptables.

   "iptables -A INPUT -m set --set BADIPS src -j DROP"

But it errs with

   "iptables: No chain/target/match by that name"

It seems that iptables does not know about BADIPS? <Grasping />

If anyone knows what is missing I would sure appreciate the help :)

Thanks,
Mike Wright

 > Best regards,
 > Jozsef

Re: need help with ipset

[Mr Ritter]

Mike Wright wrote:
> Now I want to add a rule to iptables.
> 
>   "iptables -A INPUT -m set --set BADIPS src -j DROP"

How about:

iptables -t filter -A INPUT -m set --set BADIPS src -j DROP


--
Ritter

Re: need help with ipset

[Mike Wright]

Mr Ritter wrote:
> Mike Wright wrote:
> 
>> Now I want to add a rule to iptables.
>>
>>   "iptables -A INPUT -m set --set BADIPS src -j DROP"
> 
> 
> How about:
> 
> iptables -t filter -A INPUT -m set --set BADIPS src -j DROP
> 

Thanks for the reply.  No joy.  Also tried specifying a protocol 
thinking it might require one but that had no effect either.  Other 
insights?

:m)


> 
> -- 
> Ritter
> 
> 
> 
> 

iptables - port forwarding in LAN

[Snehasis Sinha]

Hi,

I am trying to port forward in a closed (not connected to real internet or outside network) network (LAN) to a machine; but could not do it successfully. the senerio is:

I have a host_a (10.5.1.100), host_b (10.5.1.200) and host_c (10.5.1.150) connected among themselves. from host_c i am accessing http service at host_a using http://10.5.1.100:80. I can access tomcat server using http://10.5.1.200:8080, from host_c. now I want to use http://10.5.1.100:80 to access 10.5.1.200:8080 from the same host (host_c), ie. all http requests targetted to 10.5.1.100:80 should be redirected to 10.5.1.200:8080, so that pages from host_b:8080 comes to host_c but appear to come from host_a:80

how to do that using iptables. please advise.
thanks in advance

-snehasis

Re: need help with ipset [SOLVED]

[Mike Wright]

> Now I want to add a rule to iptables.
> 
>   "iptables -A INPUT -m set --set BADIPS src -j DROP"
> 
> But it errs with
> 
>   "iptables: No chain/target/match by that name"
> 
> It seems that iptables does not know about BADIPS? <Grasping />

Sorry for the noise.  This was not an ipset problem.  It was operator 
error.  My kernel modules got out of sync.  There is a BIG difference 
between "make modules install" and "make modules_install".

Thanks for the ipset module, Jozsef.  It replaced a really UGLY iptables 
ruleset with a very elegant one line solution.

:m)

RE: iptables - port forwarding in LAN

[Snehasis Sinha]

-------- Original Message --------
Subject: 	[?] RE: iptables - port forwarding in LAN
Date: 	Mon, 18 Sep 2006 17:13:39 +0200
From: 	Sietse van Zanen <sietse@wizdom.nu>
To: 	Snehasis Sinha <ssinha@connectivasystems.com>
References: 	<4504CC74.3040607@mailinator.com> 
<Pine.LNX.4.58.0609140855340.18386@blackhole.kfki.hu> 
<450AD4EE.3050205@mailinator.com> <450AD69F.9000506@candlefire.org> 
<450AD8D4.7040008@mailinator.com>, <450E8D0F.2070909@connectivasystems.com>



You will have to pull of quite some tricks to make that work, as all 
your hosts are on the same subnet. This is what happens when you just 
try NAT:
 
1. host_c contacts host_a on port 80.
2. host_a NATs this to host_b port 8080
3. host_b receives the connection, thinking it comes from host_a 
directly (source IP remains the same)
4. host_b replies to host_a with a SYN_ACK for port 8080
5. host_a recieves the syn_ack for host_b port 8080 and rejects this, as 
it never tried openeing a connection to that host on that port.
 
To get this to work you will have to double NAT (both NAT source and 
destination address). Change the destination address from host_a port 80 
to host_b port 8080 and MASQUERADE the source address. That way host_b 
will think the connection comes from host_a and replies accordingly. 
host_a then NATs all back to host_c.
 
Should be something like:
iptables -t NAT -A PREROUTING -s 10.5.1.150 -d 10.5.1.100 --dport 80 -j 
DNAT --to-destination 10.5.1.200:8080
iptables -t NAT -A POSTROUTING -s 10.5.1.150 -d 10.5.1.200 --dport 8080 
-j SNAT --to-source 10.5.1.150
 
for testing, set the filter tables policies to ACCEPT, so only NAT is 
used. Apply only the previous NAT rules to the nat table.
 
-Sietse
 
PS: Could you forward this message to the list. I cannot send it there, 
as I'm using OWA, which is HTML only and the list only accepts clear text.
 

------------------------------------------------------------------------
*From:* Snehasis Sinha
*Sent:* Mon 18-Sep-06 14:11
*To:* netfilter@lists.netfilter.org
*Subject:* iptables - port forwarding in LAN

Hi,

I am trying to port forward in a closed (not connected to real internet or outside network) network (LAN) to a machine; but could not do it successfully. the senerio is:

I have a host_a (10.5.1.100), host_b (10.5.1.200) and host_c (10.5.1.150) connected among themselves. from host_c i am accessing http service at host_a using http://10.5.1.100:80. I can access tomcat server using http://10.5.1.200:8080, from host_c. now I want to use http://10.5.1.100:80 to access 10.5.1.200:8080 from the same host (host_c), ie. all http requests targetted to 10.5.1.100:80 should be redirected to 10.5.1.200:8080, so that pages from host_b:8080 comes to host_c but appear to come from host_a:80

how to do that using iptables. please advise.
thanks in advance

-snehasis